Insider Trading & Tipping Scenarios — Scenario 6

One FDA Notification in a Database Log. One Phone Call. One Trade. Four People Whose Professional and Personal Lives Change Completely.

A four-perspective insider trading scenario — the vendor employee who misappropriated the information, the sister who made the trade, the client compliance officer managing the crisis, and the CEO who signed an MSA he thought was routine.

Quick Answer

Can one employee’s insider trading violation expose an entire non-public company to legal liability?

Yes — through the Master Service Agreement their CEO signed with the public company client. When a vendor company executes an MSA that includes an NDA, it binds the entire organization and every employee assigned to that account to a duty of trust toward the client. That duty of trust is the legal bridge that creates misappropriation liability for the employee who trades and breach of contract liability for the company that employs them.

The CEO who signed the MSA created a securities law compliance obligation for his workforce the moment the ink dried. Whether he knew it or not is irrelevant to the liability. Whether his employees were trained on it determines whether the violation was foreseeable — and whether the company’s exposure extends beyond breach of contract into negligence.

Misappropriation Theory · EU MAR Article 8 · MSA Breach of Contract

US law (misappropriation theory): United States v. O’Hagan (1997) — trading on MNPI misappropriated from a source in breach of a duty of trust constitutes securities fraud, regardless of whether the trader works for the issuer. Service agreements and NDAs create that duty of trust.

EU MAR Article 8: Any person who possesses inside information through access by virtue of the exercise of an employment, profession, or performance of duties is subject to the insider dealing prohibition. No fiduciary analysis required.

MSA/NDA breach: When an employee of the vendor company misuses client data accessed under the service agreement, the vendor company faces civil breach of contract liability to the client, independent of any criminal charges against the individual employee.

The Setup: Two Companies. One Agreement. One Tuesday Morning.

BioNovex Therapeutics is a mid-size publicly traded biotech company. Their primary pipeline asset — a novel oncology drug — has been in Phase 3 trials for three years. The stock trades at around $24 per share. An FDA approval would move it dramatically. The market knows a decision is expected this quarter.

Twelve months ago, BioNovex’s procurement team executed a Master Service Agreement with a clinical trial data management software vendor. The MSA is eighteen pages. It contains standard clauses: scope of services, payment terms, liability caps, and a mutual nondisclosure agreement covering all confidential information either party accesses in the course of the engagement. The NDA is three paragraphs. Nobody at the vendor company flagged it as a securities law document. Nobody told the employees who would work on the account that it created a duty of trust with legal consequences under federal securities law.

Alex Reyes is a senior technical support specialist at the vendor. He holds a routine service ticket to fix a data synchronization error in BioNovex’s production environment. On Tuesday morning, he is on-site in their data center, logged into the system under the MSA credentials, running database diagnostics. While reviewing system logs, he sees an automated FDA gateway notification populate: FDA-NDA-APPROVED — SUBMISSION: BNX-4471 — EFFECTIVE: [TODAY’S DATE].

The drug has been approved. The press release has not gone out. The market does not know. Alex does.

The Cascade That Follows

What Alex does in the next ten minutes sets off a chain of consequences that will reach four people across two companies. None of them, except Alex, will have chosen to be in the situation they find themselves in. All of them will have decisions to make that they are almost certainly not trained for.

Four Moments. Four Decisions. One Cascade.

Perspective 1 — Alex Reyes, Vendor Tech Support

Pressure: Opportunity · Greed · Deliberate Concealment

Alex stares at the notification. He knows what it means. He has worked on enough BioNovex tickets to understand that this drug is the company’s entire pipeline. BioNovex stock is sitting at $24. An FDA approval on an oncology asset like this moves stocks 40 to 80 percent. He does the math in his head in seconds.

He also knows, somewhere, that this feels wrong. He doesn’t buy the stock himself. He steps outside to the parking lot and calls his sister, Susan. He tells her to open her brokerage app and buy BioNovex. He tells her not to ask questions. He believes the distance between himself and the trade — her name on the account, her money, her brokerage — creates enough separation to avoid detection.

He is wrong about this in every possible direction. The attempt to conceal the trade through Susan doesn’t reduce his exposure. It adds a conspiracy charge to a misappropriation charge, making Susan a co-defendant.

Perspective 2 — Susan Reyes, Alex’s Sister

Pressure: Relationship · Ambiguity · Deliberate Avoidance

Susan is a nurse practitioner with a small brokerage account she rarely touches. She has never heard of BioNovex Therapeutics. Her brother calls her on a Tuesday morning, tells her to buy shares in a company she doesn’t know, and explicitly tells her not to ask why. Something feels off. She asks once: “Why this company?” Alex says, “I can’t explain right now. Just do it.”

She buys 800 shares at $24.20. She tells herself she trusts her brother completely. She has chosen not to examine what that trust is built on today.

Susan is not an innocent victim. The legal doctrine of willful blindness holds that deliberately avoiding facts that would reveal wrongdoing is treated as equivalent to actual knowledge. Susan sensed the situation was suspicious and chose not to investigate. That choice is her liability — not just the trade itself.

Perspective 3 — Rachel Chen, BioNovex CCO

Pressure: Organizational Crisis · Regulatory Obligation · Reputational Exposure

Thursday morning — the day after the FDA approval announcement and 73% stock move — Rachel’s equity monitoring service flags unusual options activity: a small retail account with no prior history in BioNovex stock bought 800 shares at $24.20 on Tuesday. She pulls the DLP system report and finds that the vendor support session flagged a read of the FDA gateway notification at 9:47 am Tuesday — forty-three minutes before Susan’s brokerage timestamp.

Rachel did nothing wrong. Her organization’s vendor controls are in order. She has an active MSA with an NDA. Her DLP flagged the access. Her equity monitoring flagged the trade. Everything worked exactly as designed.

She is still in the worst compliance situation of her career. She has a 43-minute timestamp connecting a vendor employee’s system access to a suspicious retail trade. The SEC will find the same dots she just found. The only question is whether BioNovex gets ahead of it or waits to be called.

Perspective 4 — Marcus Webb, CEO of the Vendor Company

Pressure: Organizational Liability · Contract Breach · Training Gap Accountability

Marcus built the vendor company over eleven years. They have 32 employees, 14 active enterprise clients, and 9 of those clients are publicly traded companies. Twelve months ago, his legal team sent him the BioNovex MSA for signature. He read the scope of services section, noted the payment terms, and signed. The NDA clause was standard boilerplate. Nobody flagged it as a securities compliance document. Nobody suggested it required an update to employee training.

Thursday afternoon, Marcus receives a call from BioNovex’s general counsel. They have identified a potential insider trading event connected to a vendor support session. They have the DLP timestamp. They have the trading record. They are requesting preservation of all access logs, session records, and employee communication records from Tuesday’s support visit. They will be cooperating fully with the SEC.

Marcus now faces four simultaneous crises. A civil breach of contract claim from BioNovex. Potential SEC scrutiny of his company’s internal controls. The question of whether to cooperate proactively with investigators, which means producing records documenting exactly how and when Alex had access. And the audit question that no one has yet asked aloud but everyone is about to: how many of his other thirty-one employees are working on publicly traded client accounts under the same NDA framework with the same training gap?

The MSA Marcus signed created a securities law compliance obligation for his entire workforce. He did not know that. His employees were not trained on it. Alex did not know he was a de facto insider the moment he logged into BioNovex’s system. That training gap is now the central fact of every conversation Marcus is going to have for the next eighteen months.

Four Sets of Choices.

For Alex in the parking lot. For Susan on her phone. For Rachel with the DLP report. For Marcus when BioNovex’s counsel calls.

Alex — The Parking Lot

✖ Choice A — Call Susan (wrong)

Use Susan’s account to create distance from the trade. He doesn’t work for BioNovex. His name won’t be on it. The misappropriation theory says otherwise — and the conspiracy charge says distance makes it worse.

Choice B — Don’t trade, say nothing (insufficient)

Avoid the trade but leave an undisclosed accidental breach sitting in the system. If it surfaces without a disclosure record, silence looks like concealment.

✔ Choice C — Document and report same day (correct)

Close the session, document in writing that the accidental access occurred and when, and report to his own company’s compliance team immediately. That paper trail is his protection and his employer’s protection.

Susan — Her Phone

✖ Choice A — Make the trade (wrong)

Trust Alex, don’t ask questions, execute the trade. Willful blindness is not a shield — it is evidence of knowing participation.

Choice B — Refuse (safe but incomplete)

Decline to make the trade. Protects Susan but leaves Alex without the intervention he needs before he does something else with what he saw.

✔ Choice C — Refuse and name it (correct)

Refuse, tell Alex directly that “don’t ask questions” sounds like insider trading, and tell him to call his company’s compliance team before he does anything else with whatever he saw. The best outcome for both of them starts here.

Rachel — The DLP Report

✖ Choice A — Monitor and wait (wrong)

The DLP flag could be a false positive. Avoid escalating prematurely. When the SEC finds the same 43-minute timestamp, “we monitored and waited” does not read as good faith.

Choice B — Brief legal and investigate (necessary)

Brief general counsel immediately, preserve all logs, begin a formal internal investigation, and brief the audit committee. Necessary but incomplete without external action.

✔ Choice C — Brief legal, investigate, and contact the vendor (correct)

Everything in Choice B, plus proactively contacting the vendor’s legal team with the DLP evidence and timeline before the SEC initiates contact. Documented immediate good-faith response is BioNovex’s strongest organizational protection.

Marcus — The Call From BioNovex Counsel

✖ Choice A — Minimize and defend (wrong)

Treat this as a single employee’s bad decision that does not reflect on the company. Produce only what is legally required. Resist the audit of other client accounts. Every instinct to protect the company by limiting disclosure makes the company’s position worse.

Choice B — Cooperate and preserve (necessary)

Retain outside counsel immediately. Preserve all records. Cooperate fully with BioNovex and any SEC inquiry. Necessary — but still reactive without addressing the underlying training gap.

✔ Choice C — Cooperate fully and audit every client account (correct)

Retain counsel, cooperate fully, preserve everything — and immediately audit every other publicly traded client account to identify which employees have similar system access under similar NDA frameworks with the same training gap. Deploy insider trading training for all affected employees before another ticket is opened. That audit is both an ethical obligation and a legal protection.

The Right Calls

Alex: Choice C.

The only call that creates a paper trail demonstrating the access was accidental and the response was immediate. Choice A adds conspiracy charges to misappropriation. Choice B leaves an undisclosed breach that looks like concealment when discovered.

Susan: Choice C.

Refusing protects Susan. Naming what she suspects and sending Alex to compliance protects both of them. The best outcome for the family requires Susan to say the word neither of them wants to say.

Rachel: Choice C.

BioNovex is the victim — but the SEC will scrutinize how and when it knew, and what it did with that knowledge. Proactive, transparent, documented response is the only posture that demonstrates the organization acted in good faith from the moment it connected the dots.

Marcus: Choice C.

Full cooperation is necessary. The audit of every other publicly traded client account is the difference between one incident and a systemic pattern. If another employee on another account has seen something they shouldn’t have, Marcus needs to know before investigators do. The training gap that produced this situation is the single most important thing Marcus can fix — not for this case, but for every active support ticket his team opened this morning.

How One Notification Creates a Four-Party Disaster

The MSA is not a routine document — it is a securities law compliance instrument.

Every Master Service Agreement containing an NDA that covers access to a publicly traded company’s systems creates a duty of trust between the vendor and the client. That duty of trust is the legal bridge under the misappropriation theory. The CEO who signs it is not signing a standard vendor agreement — he is binding his workforce to a securities law obligation. Most vendor company CEOs have signed dozens of these agreements without being told that. The NDA clause that takes up three paragraphs in an eighteen-page contract is the mechanism that makes Alex a de facto insider the moment he logs in.

The attempt to use a family member’s account is the most commonly detected insider trading pattern in SEC enforcement.

Family member accounts, dormant accounts suddenly activated, and third-party accounts with no prior history in a stock that trades in the window before material announcements are primary surveillance flags. Alex’s instinct to create distance through Susan is exactly the pattern the SEC’s algorithms are calibrated to find. The concealment attempt doesn’t reduce his exposure — it creates a conspiracy charge and makes Susan a co-defendant. The distance he tried to create becomes the evidence of his intent.

The organizational cost lands on both companies — one as the victim, one as the respondent.

BioNovex did everything right. They have vendor controls, DLP monitoring, equity surveillance, and a functioning MSA. They are still managing an SEC inquiry, a board briefing, an audit committee disclosure, and a vendor relationship review, all of which will require significant time and legal fees. Rachel’s crisis is the organizational cost of a training gap at the vendor level that BioNovex could not control. Marcus’s crisis is the organizational cost of a training gap at his own company that he created by signing documents without understanding their compliance implications.

The training gap that caused this exists at millions of non-public companies right now.

SaaS companies, IT service firms, consulting practices, law firms, accounting firms, and clinical research organizations whose employees routinely work inside public company systems have almost universally never received insider trading training — because their employers don’t believe it applies to non-public companies. The misappropriation theory has existed since 1997. EU MAR Article 8 is unambiguous. The obligation is not new. The awareness gap is. Every support ticket opened on a publicly traded client’s system is a moment where an untrained employee could see something that creates a securities law obligation they don’t know they have.


Frequently Asked Questions

Does an NDA in a Master Service Agreement create insider trading obligations?

Yes — indirectly but consequentially. The NDA creates a duty of trust and confidence between the vendor company and the client. Under the misappropriation theory of insider trading established in United States v. O’Hagan (1997), a person who trades on MNPI misappropriated from a source in breach of a duty of trust commits securities fraud. The NDA is the legal mechanism that creates that duty for vendor employees accessing client systems. When a CEO signs an MSA containing an NDA covering a publicly traded client’s confidential information, he creates a securities law compliance obligation for every employee deployed on that account — whether or not anyone at the vendor company understands that is what happened.

Can a vendor company face legal liability when one of its employees commits insider trading using a client’s data?

Yes — on multiple grounds. The MSA breach of contract claim arises because the NDA was violated when the vendor employee used client data for personal gain. The client can pursue damages arising from that breach, which extend well beyond the value of the trade itself to include legal fees, regulatory response costs, and reputational harm. Depending on the adequacy of the vendor company’s internal controls and training, the SEC may also examine whether the company’s failure to train employees on their securities obligations constitutes a control failure. The individual employee faces personal criminal charges. The company faces civil exposure. Neither outcome depends on the other.

What should vendor companies do to protect themselves when they service publicly traded clients?

Three categories of action are required. First, legal review: have counsel assess every MSA containing an NDA covering access to publicly traded client systems and identify which employees are deployed on those accounts. Second, training: deliver insider trading compliance training specifically covering the misappropriation theory and EU MAR Article 8 to every employee with system access to public company data — not as annual general training, but as account-specific onboarding. Third, incident protocols: establish clear procedures for employees who accidentally encounter material nonpublic information during client work, including immediate documentation and same-day reporting to the company’s legal or compliance function.

What should a vendor employee do if they accidentally see material nonpublic information in a client’s system?

Stop accessing the information immediately and close the relevant session. Document in writing — the same day — what was seen, when, and that the access was accidental. Report to the company’s legal or compliance function the same day. Do not trade, do not disclose to anyone, and do not delay. The documented paper trail of immediate good-faith response is the employee’s protection and the company’s protection. The company’s legal team will then assess obligations to notify the client and any relevant authorities.

Should enterprise companies require insider trading training as part of vendor management?

Increasingly, yes. Enterprise vendor management programs are adding compliance training requirements to vendor contracts, particularly for suppliers with production system access to sensitive data. Requiring that vendor employees who access company systems complete insider trading training — and that the vendor company certify that training as part of the annual MSA review — addresses the training gap at the source. BioNovex cannot control whether Alex’s employer trains him. They can make that training a contractual requirement before the next MSA is signed.

How to Use This Scenario in Training

This is the only four-perspective scenario in the insider trading cluster and the only one that targets non-public company employees. Run Alex’s moment with any technical, implementation, or consulting team whose work gives them system access to publicly traded client environments. Run Marcus’s moment with CEOs, COOs, and general counsels at vendor companies as a contract review and training gap exercise. Run Rachel’s moment with CCOs and compliance teams as a vendor management risk scenario.

The most effective debrief question for non-public company technical teams: “Name one client you currently support who is publicly traded. Name one piece of information you could theoretically encounter in their systems that would move their stock price. Did you know that information creates a federal securities law obligation for you — not because of who you work for, but because of the agreement your company signed with their procurement team?”

For enterprise vendor management teams: this scenario makes the business case for adding insider trading training certification requirements to MSA renewals for vendors with production system access.



© 2005–2026 Xcelus LLC. All rights reserved.